Standard way for representing JVM malware signatures.
Rules should be similar to Yara rules (but for JVM applications). This means:

- [ ] Binary sequence matches (mostly for asset matching)
- [ ] Filtered Java ASM instruction sequences (for example, only check method invocations, but all of them)
  - Ability to match only in selected functions could be useful
- [ ] Optionally limit file/ASM sequence matches to files/classes/functions (e.g. `Updater.class/*` or `*/<clinit>`)
- [ ] Filename matches (with regex)
- [ ] Function name/id matches
- [ ] Match conditions like "at least 10" or "$a or $b and $c" (multiple match conditions have to be allowed)
- [ ] Per-malware threat level and lookup ID. The lookup ID should direct users to a website dedicated to malware details and a removal guide.
- [ ] Per-rule match ID allowing us to see the exact matching details.
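To make the list above concrete, here is a small prototype of the proposed rule shape and matcher. It is an added example, not code from the project: it assumes a rule expressed as a Python dict with match ids (`$a`, `$b`, ...), per-match scopes as glob patterns over `class/method` paths, and a condition string supporting `and`, `or`, parentheses and `at least N of (...)`. The archive contents (an asset as raw bytes, two methods as `(opcode, operand)` lists standing in for what the ASM library would produce) and every id in the rule are constructed placeholders. The interesting part is the filtered ASM match: with `filter: "INVOKE*"` the `ALOAD` sitting between the two invocations is ignored, so the operand sequence still matches; with `filter: "*"` it does not.

```python
import fnmatch
import re

# Constructed sample of what a scanner might pull out of one JAR: assets map to
# raw bytes, classes map method name -> [(opcode, operand), ...].
SAMPLE_ARCHIVE = {
    "assets/stage2.bin": b"\x00\x01\xca\xfe\xba\xbe\x02",
    "Updater.class": {
        "<clinit>": [("LDC", "cmd"), ("INVOKESTATIC", "java/lang/Runtime.getRuntime"),
                     ("ALOAD", "1"), ("INVOKEVIRTUAL", "java/lang/Runtime.exec")],
        "run": [("INVOKESTATIC", "java/lang/System.currentTimeMillis")],
    },
}

# Hypothetical rule in the Yara-like shape sketched above; every id is a placeholder.
EXAMPLE_RULE = {
    "id": "example-rule-0001", "threat_level": "high",
    "lookup_id": "LOOKUP-ID-PLACEHOLDER",  # would point at a details/removal page
    "matches": {
        "$a": {"type": "bytes", "value": b"\xca\xfe\xba\xbe", "scope": "assets/*"},
        "$b": {"type": "asm", "filter": "INVOKE*", "scope": "Updater.class/<clinit>",
               "sequence": ["java/lang/Runtime.getRuntime", "java/lang/Runtime.exec"]},
        "$c": {"type": "filename", "regex": r"\.bin$"},
        "$d": {"type": "function", "regex": r"^run$"},
    },
    "condition": "$b and ($a or $c) and at least 2 of ($c, $d)",
}


def find_hits(archive, match):
    """Return human-readable hit locations for one match definition."""
    hits, kind, scope = [], match["type"], match.get("scope", "*")
    # (class/method path, method name, instructions) for every method of every class
    funcs = [(f"{c}/{f}", f, ins) for c, v in archive.items() if isinstance(v, dict)
             for f, ins in v.items()]
    if kind == "bytes":
        hits = [f"{n}@{b.find(match['value'])}" for n, b in archive.items()
                if isinstance(b, bytes) and fnmatch.fnmatchcase(n, scope) and match["value"] in b]
    elif kind == "filename":
        hits = [n for n in archive if re.search(match["regex"], n)]
    elif kind == "function":
        hits = [p for p, fn, _ in funcs if re.search(match["regex"], fn)]
    elif kind == "asm":
        seq, flt = match["sequence"], match.get("filter", "*")
        for path, _, insns in funcs:
            if fnmatch.fnmatchcase(path, scope):
                # Keep only opcodes passing the filter, then search the operand sequence
                # among the survivors: the sample's ALOAD between two INVOKE* is skipped.
                ops = [arg for op, arg in insns if fnmatch.fnmatchcase(op, flt)]
                hits += [f"{path}#{i}" for i in range(len(ops) - len(seq) + 1)
                         if ops[i:i + len(seq)] == seq]
    return hits


class _Cond:
    """Recursive-descent evaluator for and/or, parentheses and 'at least N of (...)'."""

    def __init__(self, text, hits):
        pat = r"at least \d+ of \([^)]*\)|\$\w+|[()]|\w+"  # whole 'at least' clause = 1 token
        self.toks, self.hits, self.pos = re.findall(pat, text) + [None], hits, 0

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):  # expr := term ('or' term)*
        val = self.term()
        while self.toks[self.pos] == "or":
            self._take()
            val = self.term() or val  # term() runs first so its tokens are consumed
        return val

    def term(self):  # term := factor ('and' factor)*
        val = self.factor()
        while self.toks[self.pos] == "and":
            self._take()
            val = self.factor() and val
        return val

    def factor(self):  # factor := '(' expr ')' | 'at least N of ($x, ...)' | $id
        tok = self._take()
        if tok == "(":
            val = self.expr()
            if self._take() != ")":
                raise ValueError("missing ')' in condition")
            return val
        if tok and tok.startswith("at least"):
            n, ids = int(tok.split()[2]), re.findall(r"\$\w+", tok)
            return sum(1 for i in ids if self.hits.get(i)) >= n
        if tok and tok.startswith("$"):
            return bool(self.hits.get(tok))
        raise ValueError(f"unexpected token {tok!r} in condition")


def scan(archive, rule):
    """Evaluate one rule; return (matched, per-match-id hit locations) for the report."""
    hits = {mid: find_hits(archive, m) for mid, m in rule["matches"].items()}
    return _Cond(rule["condition"], hits).expr(), hits
```

`scan` returns the per-match hit table alongside the verdict, which is what the "exact matching details" item asks for: a report can print the rule id, threat level and lookup id, then `$b -> Updater.class/<clinit>#0` and so on. Scopes are plain glob patterns, so `*/<clinit>` or `Updater.class/*` from the list above work unchanged, and a real scanner would fill `SAMPLE_ARCHIVE`'s shape from the JAR and ASM's `MethodNode` instruction lists.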